audit collector startup help
LC Bruzenak
lenny at magitekltd.com
Tue Sep 9 18:47:01 UTC 2008
On Tue, 2008-09-09 at 14:36 -0400, DJ Delorie wrote:
> > Is there a HOWTO for activating the 1.7.5 aggregating feature?
>
> Just the man pages.
>
> > I believe that the collector needs to uncomment the lines
> > in /etc/auditd/auditd.conf and the senders/clients need to set
> > active=yes, remote=<IP-address> in the audisp-remote.conf file.
>
> The collector needs the listener configured in /etc/audit/auditd.conf:
>
> tcp_listen_port = 1237
>
> The clients need the audisp-remote module enabled and configured:
>
> /etc/audisp/plugins.d/au-remote.conf:
> active = yes
>
> /etc/audisp/audisp-remote.conf:
> remote_server = 192.16.1.12 (your server's IP, not mine ;)
> port = 1237 (or use some other port, up to you)
> transport = tcp
>
> Additional options:
> format = managed
> network_retry_time = 1
> max_tries_per_record = 10
> max_time_per_record = 7
>
> You'll have to enable the connection through tcp_wrappers as well, if
> you have that option enabled, as well as whatever firewall rules may
> apply.
>
Thanks for the above.
I am only looking at the server/collector startup right now.
> > However, my collector auditd fails on start;
>
> Messages?
Not real helpful so far (/var/log/messages - any other place?):
Sep 9 13:41:15 fryspc auditd[3786]: Init complete, auditd 1.7.5 listening for events (startup state enable)
Sep 9 13:41:15 fryspc auditd[3786]: Cannot bind tcp listener socket to port 1237
Sep 9 13:41:15 fryspc auditd[3786]: The audit daemon is exiting.
Thx!
LCB.
--
LC (Lenny) Bruzenak
lenny at magitekltd.com
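The settings exchanged above (collector `tcp_listen_port` in auditd.conf, client `active = yes` in au-remote.conf and `remote_server`/`port`/`transport` in audisp-remote.conf) are easy to get out of step between hosts, and the "Cannot bind tcp listener socket" failure in the log is exactly what a pre-bound port produces. The script below is an added example written for this thread, not part of the audit package or anyone's posted code: it parses the three config files with the `key = value` syntax they use, reports mismatches between collector and client, and probes whether the listener port can currently be bound on the collector. The sample file contents are constructed from the values in the thread; the function and file-variable names are my own.

```python
"""Cross-check auditd collector and audisp-remote client settings (added example)."""
import errno
import socket
from typing import Dict, List, Optional

# --- constructed samples, taken from the values discussed in the thread ---
SAMPLE_AUDITD_CONF = """
# /etc/audit/auditd.conf on the collector (constructed excerpt)
log_file = /var/log/audit/audit.log
tcp_listen_port = 1237
"""
SAMPLE_PLUGIN_OK = "active = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n"
SAMPLE_PLUGIN_OFF = "active = no\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n"
SAMPLE_REMOTE_OK = """
remote_server = 192.16.1.12
port = 1237
transport = tcp
format = managed
network_retry_time = 1
max_tries_per_record = 10
max_time_per_record = 7
"""
SAMPLE_REMOTE_WRONG_PORT = SAMPLE_REMOTE_OK.replace("port = 1237", "port = 60")


def parse_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; '#' starts a comment, blank lines are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def collector_listen_port(auditd_conf: str) -> Optional[int]:
    """Return tcp_listen_port from auditd.conf, or None if the listener is not enabled."""
    value = parse_conf(auditd_conf).get("tcp_listen_port")
    return int(value) if value and value.isdigit() else None


def client_problems(plugin_conf: str, remote_conf: str,
                    collector_port: int, collector_ip: str) -> List[str]:
    """List every way the client-side files disagree with the collector's settings."""
    plugin = parse_conf(plugin_conf)
    remote = parse_conf(remote_conf)
    problems = []
    if plugin.get("active", "").lower() != "yes":
        problems.append("au-remote.conf: plugin not active (active = yes required)")
    if remote.get("remote_server") != collector_ip:
        problems.append(f"audisp-remote.conf: remote_server is {remote.get('remote_server')!r}, "
                        f"expected {collector_ip}")
    if remote.get("port") != str(collector_port):
        problems.append(f"audisp-remote.conf: port is {remote.get('port')!r}, "
                        f"collector listens on {collector_port}")
    if remote.get("transport", "tcp") != "tcp":
        problems.append(f"audisp-remote.conf: transport is {remote.get('transport')!r}, expected tcp")
    return problems


def port_bind_status(port: int, host: str = "0.0.0.0") -> str:
    """Try to bind a TCP socket the way the collector would; report why it cannot.

    Assumption: the listener binds all interfaces, so the default host is 0.0.0.0.
    No SO_REUSEADDR is set, so an existing listener on the port is detected as in-use.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
            return "free"
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"       # another process already owns the port
            if exc.errno == errno.EACCES:
                return "permission-denied"  # privileged port without privileges
            return f"error:{exc.errno}"


def demo_in_use_probe() -> str:
    """Hold an ephemeral port open on loopback, then probe it; expected result 'in-use'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        return port_bind_status(holder.getsockname()[1], "127.0.0.1")


if __name__ == "__main__":
    port = collector_listen_port(SAMPLE_AUDITD_CONF)
    print("collector tcp_listen_port:", port)
    for label, plugin, remote in [("good client", SAMPLE_PLUGIN_OK, SAMPLE_REMOTE_OK),
                                  ("inactive plugin", SAMPLE_PLUGIN_OFF, SAMPLE_REMOTE_OK),
                                  ("wrong port", SAMPLE_PLUGIN_OK, SAMPLE_REMOTE_WRONG_PORT)]:
        print(label, "->", client_problems(plugin, remote, port, "192.16.1.12") or "OK")
    print("bind status for port", port, "on this host:", port_bind_status(port))
```

Run it on the collector with the real files read in place of the constructed samples; a result of `in-use` for the listener port means some other process holds it (`ss -ltnp` on the collector shows which), which is the condition that produces the "Cannot bind tcp listener socket" line quoted above, and a result of `free` while auditd still fails points at something other than port contention.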